Flash Timeline in view for SavedSearch

Path Finder

I'm having trouble getting a flash timeline to populate with the results of a saved query in a view I'm trying to make. Is this possible? I've gotten it to work just fine for inline searches.

Here's my view xml:

<?xml version='1.0' encoding='utf-8'?>
<view template="dashboard.html">
  <label>Month to Date - Purchases vs. Trials</label>
  <module name="AccountBar" layoutPanel="appHeader" />
  <module name="AppBar" layoutPanel="navigationHeader" />
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>

  <module name="HiddenSavedSearch" group="Total Downloads from TSC Store Purchases" layoutPanel="panel_row1_col1">
    <param name="savedSearch">Downloads from TSC Store Purchases - Month to Date</param>
    <param name="useHistory">True</param>
    <module name="JobProgressIndicator"/>
    <module name="ResultsHeader">
      <param name="entityName">events</param>
      <param name="entityLabel">downloads</param>
      <module name="HiddenChartFormatter">
        <param name="chart">pie</param>
        <param name="charting.chart.sliceCollapsingThreshold">0.01</param>
        <param name="charting.chart.sliceCollapsingLabel">Other</param>
        <module name="FlashChart">
          <param name="height">250px</param>
          <param name="width">99%</param>
          <param name="enableResize">False</param>
        </module>
      </module>
      <module name="ShowHideHeader">
        <param name="hideChildrenOnLoad">true</param>
        <param name="label">All Results</param>
        <param name="mode">serializeAll</param>
        <module name="SimpleResultsTable" />
      </module>
      <module name="FlashTimeline">
        <param name="renderer">auto</param>
        <param name="maxBucketCount">1000</param>
        <param name="enableResize">false</param>
        <param name="height">250px</param>
        <param name="width">99%</param>
      </module>
    </module>
  </module>
</view>

Not sure why, but the flash timeline just isn't populating.

Can anyone shed some light on this for me? Any help is much appreciated.


SplunkTrust

The problem, I think, stems from the following sequence of facts:

1) that your saved search is scheduled

2) that <param name="useHistory">auto</param> means that the HiddenSavedSearch will load the most recently scheduled search results,

3) that when searches are run by the scheduler they are by default run with status_buckets set to 0

4) The FlashTimeline basically needs the 'status buckets' to render itself.

If a search is kicked off with status_buckets set to 300, then there will be a lot of buckets (less than 300 generally), and if it's set to 1, then there will only be one giant bucket on FlashTimeline, and if it is set to 0, there will be no bucket in your FlashTimeline at all - only an empty chart.

Solution 1:

You can edit the stanza for your savedsearch in savedsearches.conf and add this key:

dispatch.buckets = 300

Solution 2:

Change the Config so that useHistory is set to False. This will mean that the search is kicked off ad-hoc in the UI itself, and the UI will notice that the FlashTimeline module is there and dispatch the search with sufficient status buckets.

Note when considering both of these options that raising status_buckets has a significant effect on search efficiency.

savedsearches.conf docs mention the "dispatch.buckets" key
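
A check for the condition this answer describes, as an added example that is not part of the original thread: it walks a view, finds each HiddenSavedSearch with a FlashTimeline nested under it, and reports the ones that would load scheduled results dispatched without status buckets. The sample view is a trimmed copy of the one in the question, the stanza contents are constructed, and treating `enableSched` as the marker for a scheduled search is an assumption of this sketch.

```python
import configparser
import xml.etree.ElementTree as ET

# Constructed inputs: a trimmed copy of the view above and a hypothetical stanza.
SAMPLE_VIEW = """<view template="dashboard.html">
  <module name="HiddenSavedSearch" layoutPanel="panel_row1_col1">
    <param name="savedSearch">Downloads from TSC Store Purchases - Month to Date</param>
    <param name="useHistory">True</param>
    <module name="ResultsHeader">
      <module name="FlashTimeline"><param name="height">250px</param></module>
    </module>
  </module>
</view>"""
SAMPLE_CONF = """[Downloads from TSC Store Purchases - Month to Date]
enableSched = 1
cron_schedule = 0 * * * *
"""

def param(module, name):
    """Text of a direct <param name="..."> child, or '' when absent."""
    for p in module.findall("param"):
        if p.get("name") == name:
            return (p.text or "").strip()
    return ""

def empty_timeline_searches(view_xml, conf_text):
    """Saved searches whose FlashTimeline would load scheduled results with no buckets."""
    conf = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    conf.optionxform = str  # keep key case exactly as written in the .conf file
    conf.read_string(conf_text)
    hits = []
    for mod in ET.fromstring(view_xml).iter("module"):
        if mod.get("name") != "HiddenSavedSearch":
            continue
        if not any(m.get("name") == "FlashTimeline" for m in mod.iter("module")):
            continue  # no timeline below this search, status buckets not needed
        if param(mod, "useHistory").lower() == "false":
            continue  # Solution 2: search is dispatched ad hoc from the UI
        name = param(mod, "savedSearch")
        stanza = conf[name] if conf.has_section(name) else {}
        scheduled = stanza.get("enableSched", "0").lower() in ("1", "true")
        if scheduled and int(stanza.get("dispatch.buckets", "0")) == 0:
            hits.append(name)  # Solution 1 not applied: no dispatch.buckets key
    return hits

if __name__ == "__main__":
    print(empty_timeline_searches(SAMPLE_VIEW, SAMPLE_CONF))
```

Appending `dispatch.buckets = 300` to the stanza, or switching `useHistory` to False in the view, clears the finding.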

Path Finder

Thanks for your response.

It appears that the FlashTimechart module only populates for searches that aren't using stored results (meaning the search should run when the page loads). I ended up just creating a saved search that timecharts count(events) on a per_hour() basis. All is right as rain.
